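# Coves Production Environment Variables
#
# Copy to .env.prod and fill in real values.
# NEVER commit .env.prod to git!  Make sure it is listed in .gitignore and
# keep the file readable only by the deploy user (chmod 600 .env.prod).
#
# Before deploying, confirm no placeholder survived:
#   grep -n CHANGE_ME .env.prod   (must print nothing)
#
# Values are written unquoted.  That is fine for the active entries below
# (letters, digits, '-', '_', ':', '.', '/' and a single '?'), but if a
# secret you generate or a URL you enable contains '#', '$', '&', '"', '\'
# or whitespace, wrap the value in double quotes — otherwise a loader that
# treats '#' as an inline comment, or a shell that `source`s this file,
# will truncate or misparse it.

# =============================================================================
# PostgreSQL (AppView Database)
# =============================================================================
POSTGRES_DB=coves_prod
POSTGRES_USER=coves_user
POSTGRES_PASSWORD=CHANGE_ME_SECURE_PASSWORD_HERE

# Full connection string (alternative to individual vars above).
# Keep sslmode=require (or verify-full if the server certificate is trusted)
# so credentials never cross the network in clear text.  If the password
# contains reserved URL characters, percent-encode it here.
# NOTE(review): which takes precedence when both DATABASE_URL and the
# POSTGRES_* vars are set is not documented here — check the loader.
# DATABASE_URL=postgres://coves_user:password@localhost:5432/coves_prod?sslmode=require

# =============================================================================
# PDS (Personal Data Server)
# =============================================================================
# PDS URL for XRPC calls (must be https in production)
PDS_URL=https://pds.coves.social

# Shared HS256 signing secret.  Anyone holding this value can mint access
# tokens that Coves accepts for any account on the listed HS256 issuers.
# Generate with: openssl rand -hex 32
PDS_JWT_SECRET=CHANGE_ME_64_HEX_CHARS

# Admin password for PDS management
PDS_ADMIN_PASSWORD=CHANGE_ME_SECURE_ADMIN_PASSWORD

# K256 (secp256k1) private key for DID rotation.
# Generate with: openssl rand -hex 32
# Back this key up offline: it is presumably what authorises future changes
# to the DID document, and losing it means losing control of the identity.
PDS_ROTATION_KEY=CHANGE_ME_64_HEX_CHARS

# Coves instance PDS account (for creating community records)
PDS_INSTANCE_HANDLE=coves.social
PDS_INSTANCE_PASSWORD=CHANGE_ME_INSTANCE_PASSWORD

# Optional: Email configuration for account recovery.
# The SMTP password lives inside the URL; percent-encode reserved characters
# and double-quote the value if it contains '#', '&' or '$'.
# PDS_EMAIL_SMTP_URL=smtp://user:pass@smtp.example.com:587
# PDS_EMAIL_FROM_ADDRESS=noreply@coves.social

# =============================================================================
# Identity & Federation
# =============================================================================
# PLC Directory URL for DID resolution
# Defaults to https://plc.directory if not set
# PLC_DIRECTORY_URL=https://plc.directory

# Instance DID (did:web or did:plc)
INSTANCE_DID=did:web:coves.social

# Instance domain (required if not using did:web)
# INSTANCE_DOMAIN=coves.social

# Identity cache TTL (Go duration format, e.g. 5m, 1h).
# Trade-off: a longer TTL means fewer DID lookups, but presumably also a
# longer window in which a rotated or revoked signing key is still trusted
# for ES256 verification — keep it short unless lookup load is a problem.
# IDENTITY_CACHE_TTL=5m

# =============================================================================
# JWT Authentication
# =============================================================================
# Coves supports two JWT verification methods:
#
# 1. HS256 (shared secret) - For your own PDS
#    - Fast, no network calls needed
#    - Requires shared PDS_JWT_SECRET
#    - Only for PDSes you control
#
# 2. ES256 (DID resolution) - For federated users
#    - Works with any PDS (bsky.social, etc.)
#    - Resolves user's DID document to get public key
#    - No shared secret needed
#
# HS256_ISSUERS: Comma-separated list of PDS URLs allowed to use HS256.
# These PDSes MUST share the same PDS_JWT_SECRET with Coves.
# Every host listed here is fully trusted: a compromised or malicious PDS
# in this list can forge tokens for any user.  Never add a third-party PDS.
HS256_ISSUERS=https://pds.coves.social

# Skip JWT signature verification (DEVELOPMENT ONLY!)
# MUST be false in production — true accepts any unsigned/forged token.
AUTH_SKIP_VERIFY=false

# =============================================================================
# OAuth Configuration
# =============================================================================
# AppView public URL (used for OAuth callback and client metadata).
# Must be the exact https origin users reach; a mismatch breaks the
# redirect_uri check.
APPVIEW_PUBLIC_URL=https://coves.social

# Seal secret for encrypting session tokens (AES-256-GCM).
# REQUIRED - Generate with: openssl rand -base64 32
# Rotating this value invalidates every existing session.
OAUTH_SEAL_SECRET=CHANGE_ME_BASE64_32_BYTES

# Optional: OAuth client secret and key ID (for confidential clients only)
# Most deployments use public clients and don't need these
# OAUTH_CLIENT_SECRET=
# OAUTH_CLIENT_KID=

# =============================================================================
# Mobile Universal Links & App Links
# =============================================================================
# Required for iOS Universal Links
# Format: TEAM_ID.BUNDLE_ID  (Apple Team ID, a dot, then the iOS bundle identifier)
# Find Team ID: Apple Developer Portal -> Membership
# Find Bundle ID: Xcode project -> General -> Bundle Identifier
APPLE_APP_ID=ABCD1234EF.social.coves.app

# Required for Android App Links
# Format: Android package name (reverse domain notation)
ANDROID_PACKAGE_NAME=social.coves.app

# SHA-256 fingerprint of your Android app's RELEASE signing certificate
# (not the debug keystore — a debug fingerprint here would let any debug
# build claim the app links).
# Get with: keytool -list -v -keystore release.jks -alias release
# Format: 64 hex characters with colons (AA:BB:CC:...)
ANDROID_SHA256_FINGERPRINT=AA:BB:CC:DD:EE:FF:11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:11:22:33:44:55:66:77:88:99:00

# =============================================================================
# Security & Encryption
# =============================================================================
# For encrypting community credentials in database.
# Generate with: openssl rand -base64 32
# Do NOT rotate this casually: credentials already stored in the database
# are encrypted under the current key and become unreadable if it changes.
# Back it up separately from the database dump.
ENCRYPTION_KEY=CHANGE_ME_BASE64_ENCODED_KEY

# Secret for HMAC signing of pagination cursors.
# Generate with: openssl rand -base64 32
# Rotating this only invalidates cursors clients are currently holding.
CURSOR_SECRET=CHANGE_ME_CURSOR_SECRET

# Optional: Restrict community creation to specific DIDs.
# Comma-separated list. If not set, any authenticated user can create
# communities — on a public instance consider setting this to prevent
# spam/squatting of community names.
# COMMUNITY_CREATORS=did:plc:abc123,did:plc:def456

# =============================================================================
# Jetstream Configuration (Real-time Event Indexing)
# =============================================================================
# Use wss:// (TLS) for every Jetstream endpoint — the stream is public data,
# but a plain ws:// connection lets an on-path attacker inject events.
# Double-quote any URL that carries more than one query parameter ('&').

# User profile indexing
JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=app.bsky.actor.profile

# Optional: Filter Jetstream events to specific PDS
# JETSTREAM_PDS_FILTER=pds.coves.social

# Community event indexing (profiles and subscriptions)
# COMMUNITY_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.profile&wantedCollections=social.coves.community.subscription

# Post indexing
# POST_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.post

# Vote indexing
# VOTE_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.feed.vote

# Comment indexing
# COMMENT_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.comment

# Aggregator indexing
# AGGREGATOR_JETSTREAM_URL=

# =============================================================================
# Cloudflare (for wildcard SSL certificates)
# =============================================================================
# Required for *.coves.social wildcard certificate
# Create at: Cloudflare Dashboard -> My Profile -> API Tokens -> Create Token
# Template: "Edit zone DNS" with permissions for coves.social zone ONLY.
# Scope it to that single zone and nothing else: whoever holds this token
# can rewrite DNS for the domain, and therefore the did:web identity and
# every certificate issued for it.  Rotate it if this file is ever exposed.
CLOUDFLARE_API_TOKEN=CHANGE_ME_CLOUDFLARE_TOKEN

# =============================================================================
# Server Configuration
# =============================================================================
# HTTP server port (terminate TLS in front of it; do not expose it directly)
PORT=8080

# Environment
ENV=production
IS_DEV_ENV=false

# Skip did:web domain verification (DEVELOPMENT ONLY!)
# MUST be false in production to prevent domain spoofing
SKIP_DID_WEB_VERIFICATION=false

# =============================================================================
# Optional: Versioning
# =============================================================================
VERSION=latest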